Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | Abuse Elevation Control Mechanism |
The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege. |
|
.003 | Sudo and Sudo Caching |
The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege. |
||
.006 | TCC Manipulation |
When using an MDM, ensure the permissions granted are specific to the requirements of the binary. Full Disk Access should be restricted to only necessary binaries in alignment with policy. |
||
Enterprise | T1098 | Account Manipulation |
Restrict access to potentially sensitive files that deal with authentication and/or authorization. |
|
.004 | SSH Authorized Keys |
Restrict access to the |
||
Enterprise | T1547 | .003 | Boot or Logon Autostart Execution: Time Providers |
Consider using Group Policy to configure and block additions/modifications to W32Time DLLs. [1] |
.009 | Boot or Logon Autostart Execution: Shortcut Modification |
Applying strict permissions to directories where shortcuts are stored, such as the startup folder, can prevent unauthorized modifications. |
||
.013 | Boot or Logon Autostart Execution: XDG Autostart Entries |
Restrict write access to XDG autostart entries to only select privileged users. |
||
Enterprise | T1037 | Boot or Logon Initialization Scripts |
Restrict write access to logon scripts to specific administrators. |
|
.002 | Login Hook |
Restrict write access to logon scripts to specific administrators. |
||
.003 | Network Logon Script |
Restrict write access to logon scripts to specific administrators. |
||
.004 | RC Scripts |
Limit privileges of user accounts so only authorized users can edit the rc.common file. |
||
.005 | Startup Items |
Since StartupItems are deprecated, preventing all users from writing to the |
||
Enterprise | T1543 | Create or Modify System Process |
Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services. |
|
.001 | Launch Agent |
Set group policies to restrict file permissions to the |
||
.002 | Systemd Service |
Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. |
||
Enterprise | T1530 | Data from Cloud Storage |
Use access control lists on storage systems and objects. |
|
Enterprise | T1565 | Data Manipulation |
Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. |
|
.001 | Stored Data Manipulation |
Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. |
||
.003 | Runtime Data Manipulation |
Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. |
||
Enterprise | T1546 | .004 | Event Triggered Execution: Unix Shell Configuration Modification |
Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence. |
.013 | Event Triggered Execution: PowerShell Profile |
Making PowerShell profiles immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence. |
||
Enterprise | T1048 | Exfiltration Over Alternative Protocol |
Use access control lists on cloud storage systems and objects. |
|
Enterprise | T1222 | File and Directory Permissions Modification |
Applying more restrictive permissions to files and directories could prevent adversaries from modifying their access control lists. Additionally, ensure that user settings regarding local and remote symbolic links are properly set or disabled where unneeded.[3] |
|
.001 | Windows File and Directory Permissions Modification |
Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists. |
||
.002 | Linux and Mac File and Directory Permissions Modification |
Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists. |
||
Enterprise | T1564 | .004 | Hide Artifacts: NTFS File Attributes |
Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. [4] |
Enterprise | T1574 | Hijack Execution Flow |
Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders. |
|
.004 | Dylib Hijacking |
Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard dylib folders. |
||
.007 | Path Interception by PATH Environment Variable |
Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory |
||
.008 | Path Interception by Search Order Hijacking |
Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory |
||
.009 | Path Interception by Unquoted Path |
Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory |
||
.014 | AppDomainManager |
Install .NET applications and related software in write-protected locations. Set directory access controls to prevent file writes to the search paths for .NET applications, both in the folders where applications are run from and the standard resources folders. |
||
Enterprise | T1562 | Impair Defenses |
Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
|
.001 | Disable or Modify Tools |
Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services. |
||
.002 | Disable Windows Event Logging |
Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at |
||
.004 | Disable or Modify System Firewall |
Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
||
.006 | Indicator Blocking |
Ensure event tracers/forwarders [6], firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. |
||
Enterprise | T1070 | Indicator Removal |
Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
|
.001 | Clear Windows Event Logs |
Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
||
.002 | Clear Linux or Mac System Logs |
Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
||
.003 | Clear Command History |
Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their |
||
.008 | Clear Mailbox Data |
Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
||
.009 | Clear Persistence |
Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
||
Enterprise | T1036 | Masquerading |
Use file system access controls to protect folders such as C:\Windows\System32. |
|
.003 | Rename System Utilities |
Use file system access controls to protect folders such as C:\Windows\System32. |
||
.005 | Match Legitimate Name or Location |
Use file system access controls to protect folders such as C:\Windows\System32. |
||
Enterprise | T1556 | Modify Authentication Process |
Restrict write access to the |
|
Enterprise | T1055 | .009 | Process Injection: Proc Memory |
Restrict the permissions on sensitive files such as |
Enterprise | T1563 | .001 | Remote Service Session Hijacking: SSH Hijacking |
Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities. |
Enterprise | T1053 | Scheduled Task/Job |
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
|
.006 | Systemd Timers |
Restrict read/write access to systemd |
||
Enterprise | T1489 | Service Stop |
Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services. |
|
Enterprise | T1553 | .003 | Subvert Trust Controls: SIP and Trust Provider Hijacking |
Restrict storage and execution of SIP DLLs to protected directories, such as C:\Windows, rather than user directories. |
Enterprise | T1218 | .002 | System Binary Proxy Execution: Control Panel |
Restrict storage and execution of Control Panel items to protected directories, such as |
Enterprise | T1569 | System Services |
Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level. |
|
.002 | Service Execution |
Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level. |
||
Enterprise | T1080 | Taint Shared Content |
Protect shared folders by minimizing users who have write access. |
|
Enterprise | T1552 | Unsecured Credentials |
Restrict file shares to specific directories with access only to necessary users. |
|
.001 | Credentials In Files |
Restrict file shares to specific directories with access only to necessary users. |
||
.004 | Private Keys |
Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the |